ZynorRAT

ZynorRAT is a Go-based remote access trojan (RAT) identified by Sysdig that targets Linux and Windows systems. It uses Telegram as its primary command-and-control channel, specifically a bot identified as @lraterrorsbot (also referred to as "lrat"). Reported capabilities include directory listing (/fs_list), system enumeration (/metrics) including hostname, current user, and public IP via api.ipify.org, process listing (/proc_list), process termination (/proc_kill), file exfiltration (/fs_get) via Telegram sendDocument functionality, screenshot capture (/capture_display) using the github.com/kbinani/screenshot library, persistence on Linux through a systemd user service at ~/.config/systemd/user/system-audio-manager.service, and arbitrary shell command execution via bash -c when input does not match a hardcoded command. Sysdig observed attacker-bot interactions showing commands such as screenshot capture and shell commands being issued through Telegram.

The malware was described as being in early development, with the Windows version appearing near-identical to the Linux version and still retaining Linux-based persistence logic. Supporting reporting states that samples were uploaded to VirusTotal beginning on 2025-07-08, with later samples showing reduced detection, suggesting active refinement for evasion.

Sysdig assessed with high confidence that the malware is of Turkish origin based on Telegram chats, network logs, reverse engineering artifacts, and telemetry, and suggested it may be the work of a single developer, possibly using the name or nickname "halil." Distribution was linked to the file-sharing service Dosya.co, and testing activity was observed on cloud instances and development systems. A published Linux sample was an ELF 64-bit x86-64 Go binary with SHA256 bceccc566fe3ae3675f7e20100f979eaf2053d9a4f3a3619a550a496a4268ef5.
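The host-level traces described above (the systemd user unit under ~/.config/systemd/user, the api.ipify.org lookup, the Telegram C2 channel and the fall-through to bash -c) can be turned into hunt checks. The script below is an added example, not Sysdig's or Mallory's code. The unit name and the sample SHA256 are taken from the summary; the JSON event schema (type, pid, ppid, exe, cmdline, dst_host), the sample unit files and the sample event lines are constructed for the example, and api.telegram.org is assumed as the Bot API host because the page names Telegram but not the endpoint.

```python
"""Hunt checks for ZynorRAT-style traces on a Linux host.

Added example, not Sysdig's or Mallory's code. Unit name and sample hash
come from the write-up; the JSON event schema and all sample data below
are constructed for this example.
"""
from __future__ import annotations

import json
import re
from pathlib import Path

# Persistence unit and published Linux sample hash, as reported by Sysdig.
SUSPECT_UNIT_NAME = "system-audio-manager.service"
KNOWN_SHA256 = {"bceccc566fe3ae3675f7e20100f979eaf2053d9a4f3a3619a550a496a4268ef5"}
# api.telegram.org is assumed (public Telegram Bot API host); api.ipify.org is in the report.
C2_HOSTS = {"api.telegram.org", "api.ipify.org"}
TRUSTED_EXEC_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/opt/")


def audit_user_units(units: dict[str, str]) -> list[str]:
    """Review user-level systemd units (name -> file body).

    Flags the reported unit name, and any unit whose ExecStart points outside
    the usual system binary paths. Findings are leads, not verdicts: a unit
    running from ~/.local/bin can be perfectly legitimate.
    """
    findings = []
    for name, body in units.items():
        if name == SUSPECT_UNIT_NAME:
            findings.append(f"{name}: unit name matches reported ZynorRAT persistence")
        m = re.search(r"^ExecStart=(\S+)", body, re.MULTILINE)
        if m and not m.group(1).startswith(TRUSTED_EXEC_PREFIXES):
            findings.append(f"{name}: ExecStart runs {m.group(1)} from a user-writable path")
    return findings


def load_user_units(home: Path | None = None) -> dict[str, str]:
    """Collect *.service files from ~/.config/systemd/user on a live host."""
    unit_dir = (home or Path.home()) / ".config" / "systemd" / "user"
    if not unit_dir.is_dir():
        return {}
    return {p.name: p.read_text(errors="replace") for p in unit_dir.glob("*.service")}


def correlate_events(lines: list[str]) -> list[dict]:
    """Pair 'connect' events to C2/lookup hosts with a later 'bash -c' child.

    A process that reaches a host in C2_HOSTS and then spawns `bash -c <cmd>`
    matches the default command path the report describes. Either behaviour
    on its own is common and is deliberately not flagged.
    """
    c2_parent: dict[int, tuple[str, set[str]]] = {}  # pid -> (exe, hosts contacted)
    hits = []
    for line in lines:
        ev = json.loads(line)
        if ev["type"] == "connect" and ev.get("dst_host") in C2_HOSTS:
            _, hosts = c2_parent.setdefault(ev["pid"], (ev["exe"], set()))
            hosts.add(ev["dst_host"])
        elif ev["type"] == "exec" and ev.get("ppid") in c2_parent:
            argv = ev.get("cmdline", [])
            if len(argv) >= 2 and argv[0].endswith("bash") and argv[1] == "-c":
                exe, hosts = c2_parent[ev["ppid"]]
                hits.append({"ppid": ev["ppid"], "parent_exe": exe,
                             "hosts": sorted(hosts), "command": " ".join(argv[2:])})
    return hits


def match_sha256(digests: list[str]) -> set[str]:
    """Return which of the given SHA-256 digests are published ZynorRAT samples."""
    return {d.lower() for d in digests} & KNOWN_SHA256


# Constructed sample data (not real telemetry).
SAMPLE_UNITS = {
    "system-audio-manager.service": (
        "[Unit]\nDescription=Audio manager\n\n[Service]\n"
        "ExecStart=/home/user/.cache/.audio/sysaudio\nRestart=always\n\n"
        "[Install]\nWantedBy=default.target\n"
    ),
    "syncthing.service": (
        "[Unit]\nDescription=Syncthing\n\n[Service]\n"
        "ExecStart=/usr/bin/syncthing serve\n\n[Install]\nWantedBy=default.target\n"
    ),
}
SAMPLE_EVENTS = [
    '{"type":"connect","pid":4242,"exe":"/home/user/.cache/.audio/sysaudio","dst_host":"api.ipify.org"}',
    '{"type":"connect","pid":4242,"exe":"/home/user/.cache/.audio/sysaudio","dst_host":"api.telegram.org"}',
    '{"type":"exec","pid":4260,"ppid":4242,"exe":"/usr/bin/bash","cmdline":["bash","-c","id"]}',
    '{"type":"connect","pid":5100,"exe":"/usr/bin/curl","dst_host":"api.ipify.org"}',
    '{"type":"exec","pid":5101,"ppid":1,"exe":"/usr/bin/bash","cmdline":["bash","-c","ls"]}',
]

if __name__ == "__main__":
    for finding in audit_user_units({**load_user_units(), **SAMPLE_UNITS}):
        print("unit:", finding)
    for hit in correlate_events(SAMPLE_EVENTS):
        print("c2+shell:", hit)
```

Run stand-alone, the script audits the current user's real unit directory together with the constructed sample, and reports the single constructed process (pid 4242) that both contacted the lookup and C2 hosts and then spawned bash -c; the curl lookup and the unrelated bash -c under pid 1 are left alone, which is the point of correlating the two events rather than alerting on either one.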


MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration ... and arbitrary command execution

T1059.004 Unix Shell (evidence: 1)

If the attacker’s input received by the malware does not match any of the command instructions listed above, the input itself is parsed and executed by default with bash -c <command>.

Persistence

1 technique
T1543.002 Systemd Service (evidence: 2)

Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services

Privilege Escalation

1 technique
T1543.002 Systemd Service (evidence: 2)

Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture, persistence through systemd services

Discovery

4 techniques
T1033 System Owner/User Discovery (evidence: 1)

Once executed, the malware extensively profiles the compromised host

T1057 Process Discovery (evidence: 2)

/proc_list, to run the "ps" Linux command

T1082 System Information Discovery (evidence: 2)

Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration, system enumeration, screenshot capture ... /metrics, to perform system profiling

T1083 File and Directory Discovery (evidence: 2)

/fs_list, to enumerate directories

Collection

2 techniques
T1005 Data from Local System (evidence: 1)

The function handleGetFile, which is invoked by the /fs_get command, is responsible for processing file requests from the C2... If the requested file is found, the function calls the sendDocument function... that will send the file back to the Telegram bot.

T1113 Screen Capture (evidence: 2)

/capture_display, to take screenshots

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

Telegram serves as the main C2 infrastructure through which the malware receives further commands once deployed on a victim machine.

T1071.001 Web Protocols (evidence: 1)

Telegram serves as the main C2 infrastructure through which the malware receives further commands once deployed on a victim machine.

Exfiltration

2 techniques
T1041 Exfiltration Over C2 Channel (evidence: 2)

Compiled with Go, the Linux version supports a wide range of functions to enable file exfiltration

T1567.002 Exfiltration to Cloud Storage (evidence: 1)

Further analysis of screenshots leaked via the Telegram bot has revealed that the payloads are distributed via a file-sharing service known as Dosya.co

Impact

1 technique
T1489 Service Stop (evidence: 2)

/proc_kill, to kill a specific process by passing the PID as input

INDICATORS OF COMPROMISE

IOCs tracked for this family

64 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (60 tracked): IPs, domains, and DNS infrastructure linked to this family.

Hashes (2 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (2 tracked): other indicator types observed in public reporting.

Type     Value (redacted on the public page)   Latest sighting
domain   ●●●●●●●●●●●●                          10 months ago
ip.v4    ●●●●●●●●●●●●                          10 months ago
ip.v4    ●●●●●●●●●●●●                          10 months ago
ip.v4    ●●●●●●●●●●●●                          10 months ago
ip.v4    ●●●●●●●●●●●●                          10 months ago
ip.v4    ●●●●●●●●●●●●                          10 months ago